7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a | Triage

Analysis

max time kernel
56s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:51

Sharing

Report Analysis Logs

General

Target

7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe
Size

60KB
MD5

13099983c2cf435a45134e8ac2eba65e
SHA1

185d5a1dc6c9da637154aed7271d08e2b03b4939
SHA256

7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a
SHA512

a5efbb11f9bf6e3e4cd39b1ef311229747c91b746255ca0e64cdc26a20ef2d76862ffe126333928f7cac691c7cdbce3bc2d087a4f53a5a33a6bab8b4043123b4
SSDEEP

1536:ojvJX3kWaJ21LEgiTX9D1HqxLOFp2GpNGl2AP9I:ojx7a+LEgiTX5hUO/vElFPe

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe

description ioc process

File created C:\Windows\SysWOW64\Drivers\CelInDriver.sys 7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe

Sets service image path in registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\CelInDrv\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\CelInDriver.sys"	7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe

Loads dropped DLL 1 IoCs

Processes:

7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe

pid process

1320 7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe

Drops file in System32 directory 2 IoCs

Processes:

7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe

description	ioc	process
File created	C:\Windows\SysWOW64\xpdhcp.dll	7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe
File opened for modification	C:\Windows\SysWOW64\xpdhcp.dll	7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe

pid	process
1320	7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe
1320	7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe
1320	7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe
1320	7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe
1320	7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe
1320	7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe

pid process

1320 7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe

description	pid	process
Token: SeDebugPrivilege	1320	7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe
Token: SeDebugPrivilege	1320	7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe
Token: SeDebugPrivilege	1320	7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe
Token: SeLoadDriverPrivilege	1320	7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe

description	pid	process	target process
PID 1320 wrote to memory of 1204	1320	7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe	Explorer.EXE
PID 1320 wrote to memory of 768	1320	7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe	cmd.exe
PID 1320 wrote to memory of 768	1320	7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe	cmd.exe
PID 1320 wrote to memory of 768	1320	7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe	cmd.exe
PID 1320 wrote to memory of 768	1320	7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe
"C:\Users\Admin\AppData\Local\Temp\7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe"
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.exe
3⤵
PID:768

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\7fb9ebb08c923d67c43f2eaec68b2b63a8af7010e84e8d4acd8704644a5eac2a.dat
Filesize
45KB

MD5
359bcf92e0341748bc9fd035be1e44ea

SHA1
a48d0a543251fc9accf4c7645ad315f9cc739411

SHA256
054472c173d6dcddd8c84c66b4bc8cd7af42b4860794f7004e37e4e78c871c6a

SHA512
6c82b5b8ea2beb7fc64b79f9bbe0af050697ef58d17d8ac13da76c7077b9d65ed4e54571d41d8bc5da88f6b17b4f9e6978fe0f7000db0dd7559b0977e8a33a13

Download Submit
memory/768-57-0x0000000000000000-mapping.dmp

Download
memory/1320-55-0x0000000001800000-0x0000000001817000-memory.dmp

Filesize
92KB

Download
memory/1320-56-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download